From f50eedbd5104bdde1bd82b27f601d3af79615852 Mon Sep 17 00:00:00 2001
From: Quentin Kaiser
Date: Thu, 26 Sep 2024 21:22:07 +0200
Subject: [PATCH] fix(ci): adjust container scan fail-build parameter.

Failing the build does not really help since we're highly dependent on Debian maintainers to publish fixes, which means it would block Docker image releases until a fix is available in upstream Debian (we're using python3.8-slim Docker image, which itself is based on bookworm-slim). The bug that's currently failing the build (https://nvd.nist.gov/vuln/detail/CVE-2024-45490) is not critical considering our use case. Also, not failing the build allows the action to finish and push the SARIF results to Github Security panel so we can have a look and be notified. It's not like it's going away.
---
 .github/workflows/build-publish-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml
index 42b98008c3..02fce46245 100644
--- a/.github/workflows/build-publish-image.yml
+++ b/.github/workflows/build-publish-image.yml
@@ -76,7 +76,7 @@ jobs:
 uses: anchore/scan-action@v4
 with:
 image: ${{ env.DOCKER_IMAGE }}
- fail-build: true
+ fail-build: false
 severity-cutoff: critical
 only-fixed: true
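Review bot: Flipping `fail-build` to `false` while `severity-cutoff: critical` and `only-fixed: true` stay in place means the scan can no longer block a release on any critical finding that already has a fix, which is a wider policy change than the single CVE the message describes; with the current gate the step was only failing on fixed criticals to begin with. If the aim is to keep the SARIF results flowing, a narrower option is to leave `fail-build: true` and gate the upload step with `if: always()` so it runs after a failed scan (that step is outside this hunk, so I cannot see how it is currently conditioned), or to accept just the known finding via a grype ignore rule rather than disabling the gate globally. Whichever is chosen, the rationale should sit next to the value so it is not inherited silently, e.g. `# fail-build intentionally off: findings are surfaced via SARIF only (see CVE-2024-45490 rationale in history); revisit when the base image updates`. The enclosing `steps` entry starts before the hunk.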